Credit:
The information has been provided by Moritz Jodeit.
The original article can be found at: http://www.nruns.com/security_advisory.php
Vulnerable Systems:
* Apple Mac OS X version 10.5.6
Each HTTP header received from a web server is first capitalized, i.e. the first character of the header name is upper-cased while all remaining characters are lower-cased. Inside the CFNetwork framework the _CFCapitalizeHeader() function is used for this purpose.
The first thing this function does is convert the header name into UTF-16 encoded form. Depending on the length of the header name, the result is stored either in a local stack buffer or in a buffer allocated on the heap. For all header names longer than 511 bytes a heap buffer is allocated as follows:
__text:00003A35 loc_3A35:
__text:00003A35 mov esi, [ebp+var_810]
__text:00003A3B add esi, esi
__text:00003A3D mov [esp+838h+var_838], esi
__text:00003A40 call _malloc
At address 0x00003A35 the length of the header name is loaded into %esi and then doubled to hold the UTF-16 encoded variant. After the buffer has been allocated, some variables are set up. At 0x00003A4D the destination pointer for the following memory copy operation is stored.
__text:00003A45 add esi, eax
__text:00003A47 mov [ebp+var_81C], eax
__text:00003A4D mov [ebp+var_814], esi
__text:00003A53 mov [ebp+var_818], eax
Note that, in contrast to the stack buffer case, where a pointer to the _start_ of the buffer is stored in [ebp+var_814], this code stores a pointer to the _end_ of the allocated buffer (%esi now holds the doubled length plus the address returned by malloc). The following memory copy loop starting at 0x00003AD1 then stores the UTF-16 encoded header name not inside the buffer but directly after it, which leads to an exploitable heap-based buffer overflow.
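As an added example (not n.runs or Apple code), here is a C model of the routine described above with the copy destination set to the start of the scratch buffer and the copy bounded by its capacity; the 511-byte threshold and the length doubling follow the advisory, while the function names, the buffer sizes and the self-check are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#define STACK_LIMIT 511   /* names up to 511 bytes use the stack buffer, longer ones the heap */

/* Capitalize an ASCII header name (first character upper-cased, the rest lower-cased)
 * into UTF-16, using a stack or heap scratch buffer by length as the advisory describes.
 * Returns a fresh heap copy the caller frees; *out_units = code units, *used_heap = path. */
uint16_t *capitalize_header(const char *name, size_t len, size_t *out_units, int *used_heap)
{
    uint16_t stackbuf[STACK_LIMIT];
    uint16_t *buf = stackbuf, *heapbuf = NULL;
    size_t cap = STACK_LIMIT;
    if (len > STACK_LIMIT) {
        heapbuf = malloc(len * sizeof(uint16_t));   /* length doubled to hold UTF-16 */
        if (heapbuf == NULL) return NULL;
        buf = heapbuf;
        cap = len;
    }
    *used_heap = (heapbuf != NULL);
    /* The vulnerable heap path stored buf + 2*len, the END of the buffer, as the copy
     * destination, so every unit landed past the allocation. The destination must be the
     * START of the buffer, and the loop must never write beyond cap units. */
    uint16_t *dst = buf;
    for (size_t i = 0; i < len && i < cap; i++) {
        unsigned char c = (unsigned char)name[i];
        dst[i] = (uint16_t)(i == 0 ? toupper(c) : tolower(c));
    }
    uint16_t *out = malloc(len * sizeof(uint16_t));
    if (out != NULL)
        for (size_t i = 0; i < len; i++) out[i] = buf[i];   /* scratch -> result */
    free(heapbuf);
    *out_units = len;
    return out;
}
/* Self-check: capitalize a constructed name of len letters alternating 'b','A',... and
 * verify the case pattern and the buffer path taken. Returns 1 on success, 0 otherwise. */
int check_capitalize(size_t len)
{
    char *name = malloc(len);
    if (name == NULL) return 0;
    for (size_t i = 0; i < len; i++) name[i] = (i % 2) ? 'A' : 'b';
    size_t n = 0; int heap = 0;
    uint16_t *r = capitalize_header(name, len, &n, &heap);
    int ok = (r != NULL) && n == len && heap == (len > STACK_LIMIT);
    for (size_t i = 0; ok && i < n; i++)
        ok = (r[i] == (uint16_t)(i == 0 ? 'B' : (i % 2) ? 'a' : 'b'));
    free(r); free(name);
    return ok;
}
```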
Patch Availability:
Apple has issued an update to correct this vulnerability. More details can be found at: http://support.apple.com/kb/HT1222
CVE Information:
CVE-2009-0157
Disclosure Timeline:
2009/04/17 Initial notification of Apple including n.runs RFP
2009/04/27 Received response from Apple about planned disclosure date
2009/04/29 Received update from Apple about adjusted disclosure date
2009/05/12 Apple issues updates